Progress Telerik Report Server pre-authenticated RCE chain (CVE-2024-4358/CVE-2024-1800)
Technical Analysis: https://summoning.team/blog/progress-report-server-rce-cve-2024-4358-cve-2024-1800/
The deserialization issue was discovered and reported by an anonymous researcher, but no PoC was published (until now) due to the complexity of the vulnerability. In this blog post I’ll detail the full-chain pre-authenticated Remote Code Execution. First, I’ll begin by explaining the entire internals of the Telerik Report Server Custom Serializer and how it’s possible to achieve arbitrary command execution by exploiting a very interesting flaw in the mechanics of the serializer. Then I’ll continue to explain the authentication bypass that I’ve discovered, which was overlooked by the initial researcher.
Query:
Hunter: /product.name="Telerik report server"
FOFA: app="Telerik-Report-Server"
SHODAN: http.title:"Telerik report server"